Cloud Security Basics Every UK Business Should Have in Place
Ed Soltani
Founder & CEO
Cloud security does not have to be complicated
The majority of cloud security incidents are not sophisticated attacks. They are the result of basic controls not being in place — open S3 buckets, unused IAM users with active access keys, no MFA on the root account, or databases exposed directly to the internet.
These are not exotic problems. They show up in most environments that have never had a security review. And they are all straightforward to fix.
Here are the baseline controls every UK business should have in place.
1. Secure the root account
Your AWS root account has unrestricted access to everything in your AWS environment. If it is compromised, an attacker can do anything — spin up resources, exfiltrate data, lock you out of your own account.
Do this:
- Enable MFA on the root account (use a hardware token or authenticator app, not SMS)
- Do not create access keys for the root account
- Do not use the root account for day-to-day operations — create IAM users or roles for all routine tasks
- Store the root account credentials securely (password manager, offline backup of MFA recovery codes)
2. Apply least-privilege IAM
Identity and Access Management (IAM) is the foundation of AWS security. Most environments we review have IAM policies that are far too permissive; an Allow statement with "Action": "*" on "Resource": "*" (the same grant as the AdministratorAccess managed policy) is common.
Do this:
- Review all IAM users, roles, and policies quarterly
- Remove any policies granting AdministratorAccess unless genuinely required
- Replace user-based access keys with IAM roles wherever possible (EC2 instance profiles, Lambda execution roles)
- Enable IAM Access Analyzer to detect overly permissive policies automatically
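The quarterly review above is easier to do against a snapshot of your policy documents than by clicking through the console. The following is an added example, not the article's own tooling or an AWS API: it takes IAM policy documents (the same JSON you get from get-policy-version or get-user-policy) and flags the shapes described above, namely Allow * on *, whole-service wildcards such as s3:* on Resource *, NotAction on Resource *, and the AdministratorAccess managed policy ARN in a user's or role's attached-policy list. The policy names and documents are constructed for the example.

```python
import json

ADMIN_POLICY_ARN = "arn:aws:iam::aws:policy/AdministratorAccess"


def _as_list(value):
    """IAM policy fields (Statement, Action, Resource) may be a string or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def audit_policy(policy_name, document):
    """Flag over-broad Allow statements in one IAM policy document.

    document is a dict or JSON string in IAM policy grammar. Returns a list of
    findings (empty means nothing matched):
      critical - Action "*" (or "*:*") on Resource "*" with no Condition,
                 i.e. the same grant as AdministratorAccess
      high     - the same grant gated only by a Condition; a whole-service
                 wildcard such as s3:* or iam:* on Resource "*"; or a
                 NotAction statement on Resource "*" (everything not listed)
    """
    if isinstance(document, str):
        document = json.loads(document)
    findings = []
    for idx, stmt in enumerate(_as_list(document.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", f"Statement[{idx}]")
        actions = [a.lower() for a in _as_list(stmt.get("Action"))]
        if "*" not in _as_list(stmt.get("Resource")):
            continue  # scoped to named resources; out of scope for this check
        finding = {"policy": policy_name, "sid": sid}
        if any(a in ("*", "*:*") for a in actions):
            if stmt.get("Condition"):
                findings.append(dict(finding, severity="high",
                                     detail="Allow * on * gated only by a Condition"))
            else:
                findings.append(dict(finding, severity="critical",
                                     detail="Allow * on * with no Condition"))
            continue
        service_wildcards = sorted(a for a in actions if a.endswith(":*"))
        if service_wildcards:
            findings.append(dict(finding, severity="high",
                                 detail="service wildcard on Resource *: "
                                        + ", ".join(service_wildcards)))
        if "NotAction" in stmt:
            findings.append(dict(finding, severity="high",
                                 detail="NotAction on Resource * (allows everything not listed)"))
    return findings


def audit_attached_policies(policy_arns):
    """Return the AWS-managed full-admin ARNs present in an attached-policy list."""
    return [arn for arn in policy_arns if arn == ADMIN_POLICY_ARN]


# Constructed sample documents: one legacy inline admin policy and one role
# policy that is scoped for reads but still carries an s3:* wildcard.
SAMPLE_POLICIES = {
    "legacy-admin": {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
    },
    "backup-role": {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "ReadBackups", "Effect": "Allow",
             "Action": ["s3:GetObject", "s3:ListBucket"],
             "Resource": ["arn:aws:s3:::example-backups",
                          "arn:aws:s3:::example-backups/*"]},
            {"Sid": "AllS3", "Effect": "Allow", "Action": "s3:*", "Resource": "*"},
        ],
    },
}


def audit_all(policies):
    """Run audit_policy over a {name: document} mapping."""
    results = []
    for name, doc in policies.items():
        results.extend(audit_policy(name, doc))
    return results


if __name__ == "__main__":
    for f in audit_all(SAMPLE_POLICIES):
        print(f"{f['severity']:8} {f['policy']}/{f['sid']}: {f['detail']}")
    print(audit_attached_policies(["arn:aws:iam::aws:policy/ReadOnlyAccess", ADMIN_POLICY_ARN]))
```

To run it against a real account, feed audit_policy the "Document" field from get-policy-version (default version) or get-user-policy and get-role-policy output; a finding is a prompt for review, since a break-glass role with AdministratorAccess and a strong MFA condition may be exactly what you intend.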
3. Enable AWS CloudTrail in all regions
AWS CloudTrail records every API call made in your account — who did what, from where, and when. Without it, you cannot investigate incidents, and you cannot detect suspicious activity.
Do this:
- Enable CloudTrail in all regions (not just your primary region)
- Enable log file validation so you can detect if logs have been tampered with
- Store CloudTrail logs in a separate, locked-down S3 bucket
- Set a minimum retention period of 90 days (365 days is better)
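Sections 1 and 3 fit together: CloudTrail is where you see whether the root account is actually being left alone and whether people are signing in without MFA. The following is an added example, not the article's code and not an AWS feature: it applies two detections to CloudTrail records, root-user activity (the same conditions as the CIS AWS Foundations Benchmark root-usage metric filter: userIdentity.type is Root, no invokedBy, and not an AwsServiceEvent) and successful console sign-ins where MFAUsed is not "Yes". The records are constructed for the example; the account ID and access key ID are the AWS documentation placeholders, not real identifiers.

```python
import gzip
import json

# Constructed sample records in CloudTrail's JSON schema (placeholder identifiers).
ACCOUNT = "123456789012"
SAMPLE_RECORDS = [
    {   # root user signed in to the console with MFA: still root usage
        "eventTime": "2024-03-04T08:12:31Z", "eventType": "AwsConsoleSignIn",
        "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
        "sourceIPAddress": "203.0.113.10",
        "userIdentity": {"type": "Root", "accountId": ACCOUNT,
                         "arn": f"arn:aws:iam::{ACCOUNT}:root", "accessKeyId": ""},
        "responseElements": {"ConsoleLogin": "Success"},
        "additionalEventData": {"MFAUsed": "Yes"},
    },
    {   # IAM user signed in successfully without MFA
        "eventTime": "2024-03-04T09:01:07Z", "eventType": "AwsConsoleSignIn",
        "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
        "sourceIPAddress": "198.51.100.23",
        "userIdentity": {"type": "IAMUser", "userName": "alice",
                         "arn": f"arn:aws:iam::{ACCOUNT}:user/alice"},
        "responseElements": {"ConsoleLogin": "Success"},
        "additionalEventData": {"MFAUsed": "No"},
    },
    {   # API call signed with a root access key (the article says none should exist)
        "eventTime": "2024-03-04T09:30:44Z", "eventType": "AwsApiCall",
        "eventSource": "iam.amazonaws.com", "eventName": "CreateUser",
        "sourceIPAddress": "198.51.100.77",
        "userIdentity": {"type": "Root", "accountId": ACCOUNT,
                         "arn": f"arn:aws:iam::{ACCOUNT}:root",
                         "accessKeyId": "AKIAIOSFODNN7EXAMPLE"},
    },
    {   # routine call from an assumed role: nothing to report
        "eventTime": "2024-03-04T10:00:00Z", "eventType": "AwsApiCall",
        "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
        "sourceIPAddress": "10.0.1.25",
        "userIdentity": {"type": "AssumedRole",
                         "arn": f"arn:aws:sts::{ACCOUNT}:assumed-role/ops/alice"},
    },
    {   # a service acting on the account's behalf: excluded by the invokedBy check
        "eventTime": "2024-03-04T10:05:12Z", "eventType": "AwsServiceEvent",
        "eventSource": "iam.amazonaws.com", "eventName": "CreateServiceLinkedRole",
        "sourceIPAddress": "autoscaling.amazonaws.com",
        "userIdentity": {"type": "Root", "accountId": ACCOUNT,
                         "invokedBy": "autoscaling.amazonaws.com"},
    },
]


def iter_trail_file(path):
    """Yield records from one gzipped CloudTrail log file as delivered to S3."""
    with gzip.open(path, "rt", encoding="utf-8") as fh:
        yield from json.load(fh).get("Records", [])


def detect(records):
    """Return findings for root-user activity and console logins without MFA."""
    findings = []
    for r in records:
        ident = r.get("userIdentity", {})
        base = {"time": r.get("eventTime"), "event": r.get("eventName"),
                "identity": ident.get("arn") or ident.get("type"),
                "source_ip": r.get("sourceIPAddress")}
        # Rule 1: the root user itself did something (not a service on its behalf).
        if (ident.get("type") == "Root" and "invokedBy" not in ident
                and r.get("eventType") != "AwsServiceEvent"):
            detail = "root user activity"
            if ident.get("accessKeyId"):  # empty string for console sign-ins
                detail += " using access key " + ident["accessKeyId"]
            findings.append(dict(base, rule="root-usage", detail=detail))
        # Rule 2: a successful console sign-in where MFA was not used.
        if (r.get("eventName") == "ConsoleLogin"
                and r.get("responseElements", {}).get("ConsoleLogin") == "Success"
                and r.get("additionalEventData", {}).get("MFAUsed") != "Yes"):
            findings.append(dict(base, rule="console-login-no-mfa",
                                 detail="MFAUsed=" + str(r.get("additionalEventData", {}).get("MFAUsed"))))
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_RECORDS):
        print(f"{f['time']} {f['rule']:22} {f['identity']} from {f['source_ip']}: {f['detail']}")
```

For a trail delivered to S3, pass iter_trail_file(path) for each downloaded object to detect(); the same two conditions can be expressed as CloudWatch Logs metric filters if you send the trail to CloudWatch Logs, which is how the CIS Benchmark expects them to be alarmed on.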
4. Enable Amazon GuardDuty
Amazon GuardDuty analyses your CloudTrail logs, VPC Flow Logs, and DNS logs to detect threats automatically — unusual API calls, potential credential compromise, communication with known malicious IPs, and more.
It costs a few pence per day for most small accounts and requires no configuration beyond enabling it.
Do this:
- Enable GuardDuty in every region you use
- Route GuardDuty findings through Amazon EventBridge to Amazon SNS or your SIEM, so that they are alerted on rather than just listed in the console
- Review findings monthly at minimum
5. Restrict public access to S3 buckets
S3 Block Public Access is an account-level setting (it can also be set per bucket) that stops buckets and objects from being made public through ACLs or bucket policies, even if someone later writes a bucket policy incorrectly.
Do this:
- Enable S3 Block Public Access at the account level
- If you have public-facing buckets (e.g., for static website hosting), review them individually and ensure they contain only intentionally public content
6. Encrypt data at rest and in transit
All sensitive data should be encrypted, both when stored and when transmitted.
Do this:
- Enable default encryption on all S3 buckets (buckets created since early 2023 have SSE-S3 with AWS-managed keys on by default, which is fine as a minimum; SSE-KMS with a customer-managed key adds per-key access control and CloudTrail logging of key use)
- Enable encryption on RDS instances and EBS volumes
- Enforce HTTPS for all public-facing services (use ACM certificates — they are free)
- Use AWS Certificate Manager to automate certificate renewal
7. Restrict inbound network access
Security groups and network ACLs are your primary network-level controls. Default configurations are often far too permissive.
Do this:
- Remove any security group rules that allow inbound access from 0.0.0.0/0 (or ::/0) on ports that should not be public (SSH, RDP, database ports)
- Use AWS Systems Manager Session Manager for remote access instead of opening SSH to the internet
- Ensure databases are in private subnets — they should never be directly reachable from the internet
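The following is an added example, not the article's own tooling: it audits security group rules in the shape returned by aws ec2 describe-security-groups, flags any rule that exposes SSH, RDP or a common database port to 0.0.0.0/0 or ::/0 (including "all traffic" rules, where IpProtocol is -1), and prints the revoke-security-group-ingress command that would remove exactly that rule. The group IDs, names and rules are constructed for the example; the port list is an assumption you should extend for the services you run.

```python
# Ports that should never be reachable from the whole internet, by service.
SENSITIVE_PORTS = {22: "SSH", 3389: "RDP", 3306: "MySQL/MariaDB", 5432: "PostgreSQL",
                   1433: "MSSQL", 1521: "Oracle", 27017: "MongoDB", 6379: "Redis"}
ANYWHERE = ("0.0.0.0/0", "::/0")

# Constructed sample in the shape of `aws ec2 describe-security-groups` output.
SAMPLE = {"SecurityGroups": [
    {"GroupId": "sg-0a1b2c3d4e5f67890", "GroupName": "web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0123456789abcdef0", "GroupName": "legacy-db", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupId": "sg-0fedcba9876543210", "GroupName": "all-open", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
]}


def exposed_ports(rule):
    """Sensitive ports covered by one IpPermissions entry ("-1" means all traffic)."""
    proto = rule.get("IpProtocol")
    if proto == "-1":
        return sorted(SENSITIVE_PORTS)
    if proto not in ("tcp", "udp"):
        return []  # ICMP etc.: FromPort/ToPort are type/code, not ports
    lo, hi = rule.get("FromPort", 0), rule.get("ToPort", 65535)
    return [p for p in sorted(SENSITIVE_PORTS) if lo <= p <= hi]


def revoke_command(group_id, rule, cidr):
    """AWS CLI command that removes exactly this rule for this CIDR (review before running)."""
    ipv6 = ":" in cidr
    ranges = f"{'Ipv6Ranges' if ipv6 else 'IpRanges'}=[{{{'CidrIpv6' if ipv6 else 'CidrIp'}={cidr}}}]"
    proto = rule["IpProtocol"]
    perm = f"IpProtocol={proto}"
    if proto != "-1":
        perm += f",FromPort={rule['FromPort']},ToPort={rule['ToPort']}"
    return (f"aws ec2 revoke-security-group-ingress --group-id {group_id} "
            f"--ip-permissions '{perm},{ranges}'")


def audit_security_groups(describe_output):
    """Return one finding per (rule, world-open CIDR) that exposes a sensitive port."""
    findings = []
    for sg in describe_output.get("SecurityGroups", []):
        for rule in sg.get("IpPermissions", []):
            ports = exposed_ports(rule)
            if not ports:
                continue
            cidrs = ([r["CidrIp"] for r in rule.get("IpRanges", [])]
                     + [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])])
            for cidr in cidrs:
                if cidr in ANYWHERE:
                    findings.append({"group_id": sg["GroupId"], "group_name": sg.get("GroupName"),
                                     "protocol": rule["IpProtocol"], "cidr": cidr, "ports": ports,
                                     "services": [SENSITIVE_PORTS[p] for p in ports],
                                     "fix": revoke_command(sg["GroupId"], rule, cidr)})
    return findings


if __name__ == "__main__":
    for f in audit_security_groups(SAMPLE):
        print(f"{f['group_id']} ({f['group_name']}): {', '.join(f['services'])} open to {f['cidr']}")
        print("  " + f["fix"])
```

Run describe-security-groups in each region you use and pass the parsed JSON in; a finding on a bastion host is the cue to move to Session Manager, and a finding on a database group means the instance is probably not in a private subnet either.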
How to assess where you stand
The fastest way to understand your current security posture is to run AWS Trusted Advisor (its core security checks, such as unrestricted security group ports and root MFA, are available on every support plan; the full set requires Business, Enterprise On-Ramp or Enterprise Support) or AWS Security Hub, which scores your whole account against standards such as the CIS AWS Foundations Benchmark and the AWS Foundational Security Best Practices.
If you want an independent review, book a free Cloud Health Check. We will review your IAM configuration, network setup, logging, and encryption baseline, and give you a prioritised list of actions.
The most common finding? The controls above are partially in place but not consistently applied. Fixing that is usually a few hours of work — not weeks.
Ed Soltani
Founder & CEO at Smile IT Solutions